CFPB takes down digital payment processor for deceptive practices

The Consumer Financial Protection Bureau has ordered Iowa-based online payment company, Dwolla, Inc, to pay a $100,000 civil money penalty for allegedly deceiving consumers about its data security practices. The bureau also ordered the company to “fix its security practices.” This is the bureau’s first data security enforcement action.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

According to the CFPB, since December 2009, Dwolla has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collects personal information—including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.

Consent Order. According to the bureau’s consent order, Dwolla violated Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act (12 U.S.C. §§ 5563, 5565) by engaging in deceptive acts and practices relating to false representations about its data security practices. The bureau charged that Dwolla falsely claimed its security practices “exceed” or “surpass” industry standards while failing to employ “reasonable and appropriate measures’ to protect consumers’ data. Further, Dwolla claimed that “its information is securely encrypted and stored” while failing to encrypt the data and releasing applications to the public before testing whether they were secure. However, the CFPB charged that the company’s security practices “fell far short of its claims.”

Under the order, in addition to paying $100,000 to the CFPB’s Civil Penalty Fund, Dwolla is required to: (1) stop misrepresenting its data security practices; and (2) properly train employees on company data security policies and procedures and on how to protect consumers’ personal information.

Stipulation. Without admitting or denying any wrongdoing, Dwolla stipulated to the facts described in Section IV of the order and consented to the issuance of the order.